#!/bin/bash -x
#
# NextCloud Service

PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

config_nextcloud() {
  echo -ne "* Configuring nextcloud container.."

  if [ ! -d "/federated/apps/nextcloud" ]; then
    mkdir -p /federated/apps/nextcloud/data/root &> /dev/null
    mkdir -p /federated/apps/nextcloud/data/home &> /dev/null
    mkdir -p /federated/apps/nextcloud/data/var/www/html &> /dev/null
    mkdir -p /federated/apps/nextcloud/data/var/www/html/custom_apps &> /dev/null
    mkdir -p /federated/apps/nextcloud/data/var/www/config &> /dev/null
    mkdir -p /federated/apps/nextcloud/data/var/www/data &> /dev/null
    mkdir -p /federated/apps/nextcloud/data/usr/local/etc/php/conf.d &> /dev/null
  fi
  get_appvars

cat > /federated/apps/nextcloud/docker-compose.yml <<EOF
services:
  nextcloud:
    image: nextcloud:\${IMAGE_VERSION}
    container_name: nextcloud
    hostname: nextcloud.$DOMAIN
    restart: always
#    working_dir: /var/www/html
    networks:
      core:
        ipv4_address: 192.168.0.18
    extra_hosts:
      - "collabora.$DOMAIN:$EXTERNALIP"
    volumes:
      - ./data/root:/root
      - ./data/home:/home
      - ./data/var/www/html:/var/www/html
      - ./data/var/www/html/custom_apps:/var/www/html/custom_apps
      - ./data/var/www/config:/var/www/config
      - ./data/var/www/data:/var/www/data
      - ./data/usr/local/etc/php/conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
      - ./data/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini:/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini
    env_file:
      - ./.env
    secrets:
      - federated_psql_password
      - federated_nextcloud_password
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(\`nextcloud.$DOMAIN\`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex1,nextcloud-redirectregex2,nextcloudheader"
      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.regex=https?://([^/]*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.replacement=https://\$\${1}/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.regex=https?://([^/]*)(/.well-known[^#]*)"
      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.replacement=https://\$\${1}/index.php\$\${2}"
      - "traefik.http.middlewares.nextcloudheader.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.nextcloudheader.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloudheader.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloudheader.headers.forceSTSHeader=true"

secrets:
  federated_psql_password:
    file: ./.postgresql.secret
  federated_nextcloud_password:
    file: ./.nextcloud.secret
networks:
  core:
    external: true
EOF

NEXTCLOUD_SECRET=$(create_password)
echo "$NEXTCLOUD_SECRET" > /federated/apps/nextcloud/.postgresql.secret
echo "$ADMINPASS" > /federated/apps/nextcloud/.nextcloud.secret
chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud/.nextcloud.secret

# Create database and user in postgresql
docker exec postgresql psql -U postgres -c "CREATE DATABASE nextcloud" &> /dev/null
docker exec postgresql psql -U postgres -c "CREATE USER nextcloud WITH PASSWORD '$NEXTCLOUD_SECRET'" &> /dev/null
docker exec postgresql psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud" &> /dev/null

cat > /federated/apps/nextcloud/.env <<EOF
IMAGE_VERSION=$(current_version nextcloud)
NEXTCLOUD_UPDATE=1
PHP_MEMORY_LIMIT=2048M
PHP_UPLOAD_LIMIT=2048M
TRUSTED_PROXIES=192.168.0.0/16
NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.$DOMAIN
NEXTCLOUD_ADMIN_USER=nextcloud
NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/federated_nextcloud_password
POSTGRES_HOST=postgresql.$DOMAIN
POSTGRES_DB=nextcloud
POSTGRES_USER=nextcloud
POSTGRES_PASSWORD_FILE=/run/secrets/federated_psql_password
EOF
chmod 600 /federated/apps/nextcloud/.env

cat > /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/opcache-recommended.ini <<EOF
opcache.enable=1
opcache.interned_strings_buffer=32
opcache.max_accelerated_files=18000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=60
EOF

cat > /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini <<EOF
extension=apcu
apc.enable_cli=1
apc.shm_size=256M
apc.ttl=3600
apc.user_ttl=7200
apc.gc_ttl=3600
apc.max_file_size=2M
EOF

#if [[ "$BUNDLE" = "starter" ]]; then
#  sed -i "s/2048M/96M/g" /federated/apps/nextcloud/.env
#  sed -i "s/256/64/g" /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/opcache-recommended.ini
#  sed -i "s/256M/64M/g" /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini
#fi

cat > /federated/apps/nextcloud/data/configs.json <<EOF
{
   "system": {
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "nextcloud",
        "mail_domain": "$DOMAIN",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "mail.$DOMAIN",
        "mail_smtpport": "587",
        "mail_smtpname": "fcore",
        "mail_smtppassword": "$ADMINPASS"
   },
   "apps": {
        "core": {
            "backgroundjobs_mode": "cron"
	}
   }
}
EOF

cat > /federated/apps/nextcloud/data/config.sh <<EOF
#!/bin/sh

PATH=/var/www/html:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/sbin:/bin

/var/www/html/occ app:enable user_ldap
/var/www/html/occ ldap:create-empty-config
/var/www/html/occ ldap:set-config s01 ldapHost 'ldaps://ldap.$DOMAIN'
/var/www/html/occ ldap:set-config s01 ldapAgentName cn=admin,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
/var/www/html/occ ldap:set-config s01 ldapAgentPassword $LDAP_SECRET
/var/www/html/occ ldap:set-config s01 ldapBase ou=people,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
/var/www/html/occ ldap:set-config s01 ldapBaseGroups ou=groups,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
/var/www/html/occ ldap:set-config s01 ldapBaseUsers ou=people,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
/var/www/html/occ ldap:set-config s01 ldapEmailAttribute mail
/var/www/html/occ ldap:set-config s01 ldapGidNumber gidNumber
/var/www/html/occ ldap:set-config s01 ldapGroupDisplayName cn
/var/www/html/occ ldap:set-config s01 ldapGroupFilter '(&(|(objectclass=posixGroup)))'
/var/www/html/occ ldap:set-config s01 ldapGroupFilterMode 0
/var/www/html/occ ldap:set-config s01 ldapGroupFilterObjectclass inetOrgPerson
/var/www/html/occ ldap:set-config s01 ldapGroupMemberAssocAttr uniqueMember
/var/www/html/occ ldap:set-config s01 ldapLoginFilter '(&(|(objectclass=inetOrgPerson))(uid=%uid))'
/var/www/html/occ ldap:set-config s01 ldapLoginFilterEmail 0
/var/www/html/occ ldap:set-config s01 ldapLoginFilterMode 0
/var/www/html/occ ldap:set-config s01 ldapLoginFilterUsername 1
/var/www/html/occ ldap:set-config s01 ldapLoginFilterEmail 0
/var/www/html/occ ldap:set-config s01 ldapMatchingRuleInChainState unknown
/var/www/html/occ ldap:set-config s01 ldapNestedGroups 0
/var/www/html/occ ldap:set-config s01 ldapPagingSize 500 
/var/www/html/occ ldap:set-config s01 ldapPort 636
/var/www/html/occ ldap:set-config s01 ldapTLS 1 
/var/www/html/occ ldap:set-config s01 ldapUserAvatarRule default
/var/www/html/occ ldap:set-config s01 ldapUserDisplayName cn
/var/www/html/occ ldap:set-config s01 ldapUserFilter '(|(objectclass=inetOrgPerson))'
/var/www/html/occ ldap:set-config s01 ldapUserFilterMode 0 
/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass inetOrgPerson
/var/www/html/occ ldap:set-config s01 ldapUuidGroupAttribute auto
/var/www/html/occ ldap:set-config s01 ldapUuidUserAttribute auto 
/var/www/html/occ ldap:set-config s01 turnOffCertCheck 0 
/var/www/html/occ ldap:set-config s01 turnOnPasswordChange 0 
/var/www/html/occ ldap:set-config s01 useMemberOfToDetectMembership 1 
/var/www/html/occ ldap:set-config s01 ldapConfigurationActive 1 
/var/www/html/occ ldap:set-config s01 ldap_expert_username_attr uid
/var/www/html/occ ldap:set-config s01 ldap_display_name cn
/var/www/html/occ config:system:set overwriteprotocol --value=https
/var/www/html/occ config:system:set default_phone_region --value="$COUNTRY"
/var/www/html/occ config:system:delete trusted_domains
/var/www/html/occ config:system:set trusted_domains 1 --value=*
/var/www/html/occ config:system:set auto_logout --value=false
/var/www/html/occ config:system:set allow_local_remote_servers --value=true
/var/www/html/occ group:adduser admin admin
/var/www/html/occ user:delete nextcloud
/var/www/html/occ app:enable mail
/var/www/html/occ app:enable calendar
/var/www/html/occ app:enable contacts
/var/www/html/occ app:enable notes
/var/www/html/occ app:enable deck
/var/www/html/occ app:enable tasks
/var/www/html/occ app:enable bookmarks
/var/www/html/occ app:enable forms
/var/www/html/occ app:enable spreed
/var/www/html/occ app:enable richdocuments
/var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments public_wopi_url
/var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments wopi_url
/var/www/html/occ config:app:set --value ooxml richdocuments doc_format
/var/www/html/occ config:app:set --value "" richdocuments disable_certificate_verification
/var/www/html/occ config:system:set maintenance_window_start --value=1 --type=integer
/var/www/html/occ config:import configs.json
EOF

chmod +x /federated/apps/nextcloud/data/config.sh

  echo -ne "done.\n"
}
start_nextcloud() {
  # Start service with command to make sure it's up before proceeding
  start_service "nextcloud" "nc -z 192.168.0.18 80 &> /dev/null" "60"

  # Move config.sh and sidemenu config, set config.sh executable
  run_command "mv /federated/apps/nextcloud/data/config.sh /federated/apps/nextcloud/data/configs.json /federated/apps/nextcloud/data/var/www/html/"
  run_command "docker exec nextcloud chown www-data:root /var/www/html/config.sh /var/www/html/configs.json"
  run_command "docker exec nextcloud chmod 755 /var/www/html/config.sh"

  # Run config.sh - Setup LDAP, configuration for nextcloud
  run_command "docker exec -u 33 nextcloud /var/www/html/config.sh"

  # Add admin user to group
  # Have to do it this many times so it will query LDAP and populate admin user first
  run_command "docker exec -u 33 nextcloud /var/www/html/occ ldap:search admin"
  run_command "docker exec -u 33 nextcloud /var/www/html/occ group:list"
  run_command "docker exec -u 33 nextcloud /var/www/html/occ group:adduser admin admin"
  run_command "docker exec -u 33 nextcloud /var/www/html/occ group:adduser admin admin"
  run_command "docker exec -u 33 nextcloud /var/www/html/occ group:list"

  # Setup admin email account
#  docker exec -u 33 nextcloud bash -c "/var/www/html/occ mail:account:create admin admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password" &> /dev/null || failts "ERROR - There was an error running occ mail:account:create"
  run_command "docker exec -u 33 nextcloud /var/www/html/occ mail:account:create admin admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password"

  # Add missing indexes and disable activity app
  run_command "docker exec -u 33 nextcloud /var/www/html/occ db:add-missing-indices"
  run_command "docker exec -u 33 nextcloud /var/www/html/occ app:disable activity"

  # Make sure pdns is ready before adding the records
  /federated/bin/fix pdnsmysql
  run_command "docker exec pdns pdnsutil add-record $DOMAIN nextcloud A 86400 $EXTERNALIP"

  # Remove configs
  run_command "rm /federated/apps/nextcloud/data/var/www/html/config.sh /federated/apps/nextcloud/data/var/www/html/configs.json"

  # Truncate nextcloud log file
  run_command "docker exec -u 33 nextcloud truncate /var/www/html/data/nextcloud.log --size 0"

  echo -ne "done.\n"
}
uninstall_nextcloud() {
  echo -ne "* Uninstalling nextcloud container.."

  # First stop the service
  cd /federated/apps/nextcloud && docker compose -f docker-compose.yml -p nextcloud down &> /dev/null

  # Delete database and user in postgresql
  docker exec postgresql psql -U postgres -c "DROP DATABASE nextcloud" &> /dev/null
  docker exec postgresql psql -U postgres -c "DROP USER nextcloud" &> /dev/null

  # Delete the app directory
  rm -rf /federated/apps/nextcloud

  # Delete the image
  docker image rm nextcloud:$IMAGE_VERSION &> /dev/null

  # Delete the DNS record
  docker exec pdns pdnsutil delete-rrset $DOMAIN nextcloud A

  # Uninstall the SSO configuration if it exists in authelia (authelia must exist too)
  if [[ $(grep "### Nextcloud" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]]; then
    sed -i '/### Nextcloud/,/### /{/### PowerDNS/!{/### /!d}}' /federated/apps/authelia/data/config/idproviders.yml
    sed -i '/### Nextcloud/d' /federated/apps/authelia/data/config/idproviders.yml
    /federated/bin/stop authelia &> /dev/null
    /federated/bin/start authelia &> /dev/null
  fi

  echo -ne "done.\n"
}
configsso_nextcloud() {
  echo -ne "* Configuring nextcloud container with SSO.."

  [ ! -d "/federated/apps/authelia" ] && failcheck "Authelia is not installed. You need this first before continuing."
  [ ! -f "/federated/apps/authelia/data/config/idproviders.yml" ] && failcheck "Authelia idproviders.yml is missing."
  get_appvars
  [[ $(grep "### Nextcloud" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]] && failcheck "Authelia already has a Nextcloud configuration."

  NEXTCLOUD_CLIENT_SECRET=$(create_password);
  NEXTCLOUD_CLIENT_SECRET_HASH=$(docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $NEXTCLOUD_CLIENT_SECRET | awk '{ print $2 }')
  echo "$NEXTCLOUD_CLIENT_SECRET" > /federated/apps/nextcloud/.nextcloud.client.secret

cat >> /federated/apps/authelia/data/config/idproviders.yml <<EOF
      ### Nextcloud
      - client_id: 'nextcloud'
        client_name: 'NextCloud'
        client_secret: $NEXTCLOUD_CLIENT_SECRET_HASH
        consent_mode: 'implicit'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://nextcloud.$DOMAIN/apps/user_oidc/code'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
EOF

  add_authelia_config_to_dockercompose "nextcloud" "$EXTERNALIP"

  # Restart Authelia for changes to take the above configuration
  run_command "/federated/bin/stop authelia"
  run_command "/federated/bin/start authelia"

  run_command "docker exec -u 33 nextcloud /var/www/html/occ config:system:set allow_local_remote_servers --value=true"
  run_command "docker exec -u 33 nextcloud /var/www/html/occ app:enable user_oidc"
  run_command "docker exec -u 33 nextcloud /var/www/html/occ config:system:set --value=true --type=boolean user_oidc use_pkce"
  run_command "docker exec -u 33 nextcloud /var/www/html/occ user_oidc:provider Authelia --clientid="nextcloud" --clientsecret="$NEXTCLOUD_CLIENT_SECRET" --discoveryuri="https://authelia.$DOMAIN/.well-known/openid-configuration" --mapping-uid=name --endsessionendpointuri=https://authelia.$DOMAIN/logout?rd=https://dashboard.$DOMAIN"

  run_command "/federated/bin/stop nextcloud"
  run_command "/federated/bin/start nextcloud"

  echo -ne "done.\n"
}